@ISACA Volume 23, 13 November 2019

Tips for Improving Risk Assessment and Analysis

By Lisa Young, CISA, CISM

In honor of ISACA’s 50th anniversary, this column seeks to provide tips on an area of risk management that has been very slow to change—quantitative risk and decision analysis. Risk, by definition, is a forward-looking activity designed to help an enterprise plan for and react to unforeseen impacts. The objective of risk identification is to identify all risk, not to eliminate risk scenarios from consideration or to develop solutions for mitigating specific types of risk—those steps are carried out during the risk analysis and risk response processes. Emerging risk and unique risk such as cyberrisk may not be sufficiently represented by conventional qualitative methods of risk assessment and management. These new types of risk also illustrate the interconnected nature of threat, risk, crisis and disaster, and how discrete events can be triggers for additional risk or cascading risk within the tightly interconnected and technology-dependent systems in which most enterprises operate.

Here are some tips to improve each step of the risk management process with some suggestions for quantitative analysis methods and better decision-making techniques:

  • Set the context for risk management—This means choosing the areas, functions, business units or other scope for the proactive identification of risk. Scenario analysis is helpful in this step of the process because it makes the brainstorming, discussion and assumptions about risk scenarios transparent. The other analysis technique that is useful in this phase is the development of organization-specific impact criteria. Impact criteria give risk meaning and help the enterprise set organization-specific risk appetites or risk tolerances. Impact criteria apply to the enterprise and reflect the areas that are most relevant to the business or mission objectives. A good general starter set of impact criteria should, at a minimum, include financial, productivity, business interruption tolerances, tangible losses, physical security, life, health and safety, fines, and legal penalties.
  • Identify threats, conditions, areas of concern or known risk to business or mission objectives—Often there is no proactive risk identification process in an organization, which means there is no way to raise an area of concern to the proper level in the organization for decision-making. In my work with boards or governance committees, risk is often raised up through the audit process rather than a proactive risk identification process. In every single realized risk, crisis or incident that I have analyzed in my career, someone knew there was a condition or circumstance that could lead to something bad happening, but there was no way for them to articulate it or raise a concern that could then be subject to the analysis processes and requisite decision-making techniques.
  • Perform some assessment (usually qualitative) or analysis (usually quantitative) on the threat, condition or concern to decide on a course of action—Threats, conditions or concerns that are assessed or analyzed to potentially have a significant enough impact on the business if realized may also be evaluated for probability of occurrence. My preference for analysis in this phase of the process is to use the maximum foreseeable loss (MFL) or the maximum probable loss (MPL) analysis methods as these methods are able to help management understand the total financial impact on the enterprise should the risk be realized. MFL and MPL are best coupled with a thorough set of relevant risk scenarios with well-stated assumptions.
  • Develop a risk register based on risk tolerance—If a risk is out of tolerance with the impact criterion (developed previously), the risk is entered into a list of risk, sometimes called a risk register, and a plan of action for a next step or response can be determined. This step in the risk management process often requires further analysis of the risk factors to determine an effective course of action or cost-justification for a plan of remediation. My preference for decision analysis in this phase of the process is to use a Monte Carlo modeling and simulation analysis to rank-stack, or prioritize, the list of risk in a risk register for appropriate responses. Monte Carlo simulations view risk as a function of likelihood (frequency of something happening) and impact. Although these may be important measures, likelihood and impact are not the whole picture. Unlikely events occur all too often, and many likely events never materialize. Using this method can be particularly unhelpful for making risk transfer decisions if coupled with annual loss expectancy (ALE). ALE spreads the MPL over a time horizon that may distort or minimize the actual financial losses that would be realized if the risk were realized. For example, using a Monte Carlo simulation for a given scenario determines the impact of a specific cyberrisk to be US$350 million should it occur. Combining the result of the Monte Carlo model analysis of US$350 million with ALE of the probability of this risk materializing once every 10 years spreads the US$350 million impact over a period of 10 years. This specific cyberrisk then gets put on the risk register as a potential US$35 million loss, which could be in tolerance for the organization. However, when the specific cyberrisk that was modeled actually materializes in a given year, the enterprise has a loss event of US$350 million, not US$35 million. The organization might have responded with different mitigation or risk transfer options had it known of the full potential magnitude (MFL) of the loss before it materialized.
  • Monitor “risk under management”—“Risk under management” is then monitored, reported upon or closed when the risk is deemed to be in an acceptable range for the enterprise. In this stage of risk management, one analysis technique that is helpful is the development of risk indicators. My preference for developing risk indicators, some of which might result in key risk indicators, is to use 2 methods: root cause analysis (RCA) and Goal-Question-Indicator-Metric (GQIM). Both methods help with the feedback loop that is needed to improve the risk management process.
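The risk register step's ALE example, worked in code. This is an added illustration, not part of the column: it models the US$350 million, once-every-10-years cyberrisk scenario, contrasts the ALE figure with the loss in the year the event actually occurs, and shows how the same scenario passes or fails a tolerance check depending on which figure is used. The US$100 million tolerance is an assumed value.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_probability: float  # 0.1 = expected once every 10 years
    loss_if_realized: float    # single-event loss in USD, the MFL/MPL figure


# The column's scenario: US$350 million impact, once every 10 years.
CYBER_SCENARIO = RiskScenario("modeled cyberrisk", 0.1, 350_000_000.0)


def annual_loss_expectancy(s: RiskScenario) -> float:
    """ALE spreads the single-event loss over the horizon: 0.1 x 350M = 35M per year."""
    return s.annual_probability * s.loss_if_realized


def simulate_years(s: RiskScenario, years: int, seed: int = 0) -> list[float]:
    """Monte Carlo over a horizon of years: each year the event occurs (full loss) or not."""
    rng = random.Random(seed)
    return [s.loss_if_realized if rng.random() < s.annual_probability else 0.0
            for _ in range(years)]


def summarize(losses: list[float]) -> dict:
    """Long-run average (converges to ALE) versus what a single event year actually costs."""
    event_years = [loss for loss in losses if loss > 0]
    return {
        "years": len(losses),
        "event_years": len(event_years),
        "mean_annual_loss": mean(losses),
        "loss_in_an_event_year": max(losses),
    }


def within_tolerance(s: RiskScenario, tolerance: float, use_ale: bool) -> bool:
    """Register decision: the same scenario passes on ALE and fails on the full loss."""
    figure = annual_loss_expectancy(s) if use_ale else s.loss_if_realized
    return figure <= tolerance


if __name__ == "__main__":
    TOLERANCE = 100_000_000.0  # assumed organizational tolerance, not from the column
    print("ALE:", annual_loss_expectancy(CYBER_SCENARIO))
    print(summarize(simulate_years(CYBER_SCENARIO, 10_000, seed=1)))
    print("in tolerance by ALE:", within_tolerance(CYBER_SCENARIO, TOLERANCE, True))
    print("in tolerance by MFL:", within_tolerance(CYBER_SCENARIO, TOLERANCE, False))
```

Over a long simulated horizon the mean annual loss settles near the US$35 million ALE, while every year in which the event occurs costs the full US$350 million, which is the figure the register should carry when tolerance is judged.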

I hope these methods will spark a fresh look at your risk management processes. Stay tuned for more details on risk management and practitioner analysis techniques in the future as ISACA refreshes The Risk IT Framework and The Risk IT Practitioners Guide.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Applying COBIT to Vendor Risk Management



Almost all enterprises today employ third-party vendors or suppliers. When outsourcing any product or service, risk must be assessed. Successful enterprises separate themselves from unsuccessful ones in how they govern and manage their risk, especially around third parties. While there are many different standards and documents that outline how to manage third-party risk, the COBIT framework provides a holistic solution.

To explore the dynamic world of managing risk using COBIT as a framework, attend the “Managing Third-Party Risk With COBIT” webinar presented by ISACA. This webinar, which takes place on 14 November at 11AM CST (UTC -6 hours), will use real-world examples to illustrate the practices and activities enterprises should implement into their risk management processes. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Mark Thomas, CRISC, CGEIT, COBIT Assessor, president at Escoute Consulting, is an internationally known governance, risk and compliance (GRC) expert specializing in information assurance, IT risk, IT strategy, service management and digital transformation. Thomas has a wide array of industry experience including government, healthcare, finance/banking, manufacturing and technology services. He will use his experience in those industries paired with his knowledge of COBIT to help you understand the application of COBIT risk practices and activities on third-party risk management.

To learn more about this webinar or to register for it, visit the Managing Third-Party Risk With COBIT page of the ISACA website.


What Is in Store for the Next Gen Auditor?


The IT audit profession is changing and evolving, and the IT auditor must change and evolve with it. The next generation of audit emphasizes looking toward the future rather than only examining the past. Auditors must be able to leverage the power of new tools and capabilities, such as artificial intelligence (AI), robotic process automation (RPA) and data analytics. The ISACA Journal, volume 6, 2019, includes articles about the impact of these new technologies and what this impact means to the IT auditor.

The Journal volume features articles explaining how AI will enhance but not replace the audit profession, exploring how RPA is becoming common practice and describing how data analytics influence the world of audit. Additionally, this issue features new “Information Security Matters,” “Innovation Governance,” “The Practical Aspect” and “IS Audit Basics” columns.

To read the ISACA Journal, volume 6, 2019, and to earn continuing professional education (CPE) hours by taking Journal quizzes, visit the ISACA Journal page of the ISACA website. 

Invest in Your Future and Save With ISACA Membership


Continuing education and pursuing new certifications allow you to invest in your career and yourself. By joining ISACA you receive discounted access to global industry conferences, save on certification exams and prep materials, and can earn up to 72 free continuing professional education (CPE) hours annually. The savings that membership pricing offers can even offset the price of ISACA membership dues. In addition to monetary savings, ISACA members also have access to tools and valuable resources including the Career Centre, a member-exclusive online job fair, the latest research and technical briefings from Massachusetts Institute of Technology (MIT) (Cambridge, Massachusetts, USA), and the ISACA Journal.

Right now, if you join ISACA as a 2020 member, you will receive access to member benefits, resources and tools for the remainder of 2019. If you already are an ISACA member and would like to continue reaping the benefits of your membership, you can renew your 2020 ISACA membership and/or certifications by logging into your account.

Please note that ISACA membership runs on the calendar year. Individuals who are renewing either their 2020 membership and/or certifications will need to complete their payment and/or enter CPE hours before 31 December 2019. To learn more about the benefits of ISACA membership, visit the IT Professional Membership Benefits page of the ISACA website. If you have any questions about joining or renewing your membership or would like to sign up today, visit the Membership page of the ISACA website.


ISACA Gives Back Around the World


On 5 October 2019, 2,800 volunteers gathered around the world to give back to their communities during ISACA’s first-ever worldwide day of volunteerism, ISACA CommunITy Day. The 1-day event kicked off in Auckland, New Zealand, and spread across the globe to Hawaii, USA.

ISACA staff, members from 91 chapters, and family and friends spent the day volunteering their time in a variety of projects. Members in Melbourne, Australia, generously gave blood and volunteered at the Australian Red Cross blood drive. In Kenya, volunteers gave donations, helped clean and facilitated events at Heritage Faith and Hope Children’s Home. Participants in Atlanta, Georgia, USA, joined the 1 Million Meal Pack initiative with the Atlanta Hawks professional basketball team to pack healthy meals for children and families in need. The China Hong Kong Chapter volunteer group used their tech skills to give a smartphone tutorial to seniors, and members in Valencia, Spain, gathered to clean up the beach and promote environmental awareness.

Overall, 51 countries were represented during ISACA CommunITy Day, and participants created 122 local volunteer opportunities and logged more than 6,100 hours of service.

The inaugural CommunITy Day was a success in connecting ISACA’s members and staff while making a meaningful difference in communities across the globe and will continue to be an ISACA tradition. Mark your calendars for next year—CommunITy Day will take place annually on the first Saturday in October. To learn more about this year’s projects and their impact, visit the ISACA CommunITy Day Impact page on the Engage website.